Draft Notice re Cross-Border Transfer under Section 28 and 29 of the PDPA
2023.12.22
The Personal Data Protection Committee (the “PDPC”) of Thailand recently issued two draft notices regarding the cross-border transfer of personal data under the Personal Data Protection Act B.E. 2562 (the “PDPA”). One of the two notices is the “(draft) Notice of PDPC re Principle of Personal Data Protection for Cross-border Transfer according to Section 28 of PDPA” (the “Section 28 Draft Notice”) and the other is the “(draft) Notice of PDPC re Principle of Personal Data Protection for Cross-border Transfer according to Section 29 of PDPA” (the “Section 29 Draft Notice”).
The PDPA provides several legal options for the cross-border transfer of personal data. However, because the PDPC has not yet published the PDPA’s sub-regulations that are supposed to explain these options in further detail, in practice there has so far been no feasible option other than obtaining individual consent from the data subjects. The Section 28 Draft Notice and Section 29 Draft Notice may give detailed instructions for these options and could have a great impact on personal data practices in Thailand in terms of cross-border transfer.
Draft Notice according to Section 28
(1) Adequate Personal Data Protection Standards
Section 28 of the PDPA prescribes that the destination country that receives personal data shall have adequate personal data protection standards. According to the Section 28 Draft Notice, the factors to be considered regarding whether the destination country has “adequate personal data protection standards” are as follows:
(a) The destination country has legal measures or mechanisms regarding personal data protection that are not more lenient than Thailand's PDPA.
(b) There is an agency or organization that has duties and the authority to enforce laws and regulations regarding personal data protection which is not more lenient than Thailand's PDPA.
(2) Whitelist Countries
According to the Section 28 Draft Notice, the PDPC may publish a whitelist of the destination countries to which personal data may be transferred from Thailand under the PDPA.
Draft Notice according to Section 29
(1) Definition of “Personal Data Transfer”
“Personal Data Transfer” is defined as a transfer of personal data by the data exporter, physically or remotely via a computer system or internet network, to the data importer, excluding the sending and receiving of personal data in a manner that is only an intermediary for data transit between computer systems or network systems, or data storage in a temporary or permanent form, where there is no third-party access to such data except by the data controller or data processor as the data exporter or its personnel, employees, or staff.
(2) Appropriate Safeguards
Section 29 Paragraph 3 of the PDPA prescribes as follows:
Section 29 Paragraph 3
In the absence of a decision by the Committee in accordance with section 28, or the Personal Data protection policy referred to in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal Data to a foreign country in exemption to compliance with section 28, if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
Under the Section 29 Draft Notice, the appropriate safeguards subject to Section 29 paragraph 3 above may be set forth in the following forms:
(1) A contractual clause that follows the acceptable contractual clause for the transfer of personal data, that is, the contractual clause for personal data protection regarding cross-border transfer that the PDPC determines the data exporter and the data importer shall use to set out the duties and conditions of the parties in order to have appropriate personal data protection measures;
(2) Certification that the data controller or data processor has appropriate safeguards about the collection, use and disclosure regarding the cross-border transfer, and is in accordance with acceptable standards; or
(3) Requirements for personal data protection measures in instruments or agreements that are legally binding or enforceable between government agencies of Thailand and government agencies of other countries in case of a transfer between such government agencies.
(3) Contractual Clause accepted under PDPA
The aforesaid contractual clause that follows the acceptable contractual clause for the transfer of personal data shall match one of the following requirements.
(I) The contractual clause the parties establish shall contain, at minimum, the details and clauses related to personal data protection as follows:
(a) The collection, use, and disclosure of personal data, including the personal data transfer to a data importer shall be in accordance with the PDPA.
(b) A data exporter and a data importer shall provide security measures meeting the minimum standard according to the PDPA.
(c) In cases where a data importer is a data processor:
(c-1) The data importer shall collect, use, or disclose personal data only pursuant to the instruction given by a data exporter or on behalf of a data exporter and the purpose specified by the data exporter.
(c-2) The data importer shall contact the data exporter at the first possible opportunity if the data subjects request to exercise their rights according to the PDPA unless the data exporter has assigned the data importer to process such request instead of the data exporter.
(c-3) The data importer shall return personal data in accordance with the contractual clause to the data exporter or erase or destroy or anonymize such personal data by the appropriate means according to the criteria and conditions specified by the data exporter. The data importer shall ensure in writing to the data exporter when such action has been taken.
(c-4) The data importer shall report a personal data breach according to the PDPA to the data exporter without delay and, where feasible, within 72 hours after having become aware of it.
(d) In cases where a data importer is a data controller, the data importer shall notify the data exporter of a personal data breach under the PDPA, if such data exporter is a data controller, without delay and, where feasible, within 72 hours after having become aware of it, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of the Persons.
(e) There must be legal remedies for data subjects, or rights under which data subjects will receive effective legal remedies.
(II) The contractual clause shall contain the clauses specified in the ASEAN Model Contractual Clauses for Cross-Border Data Flows (MCC).
(III) The contractual clause shall contain the clauses specified in the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (SCC) of the General Data Protection Regulation (GDPR).
(4) Amendment of MCC and SCC
The clauses in MCC and SCC may be amended only in the following cases:
(1) to amend only the part related to reference laws or applicable laws to be in accordance with the PDPA, other relevant laws of Thailand, and this Notice;
(2) to translate to other languages while maintaining the same meaning;
(3) to take the relevant modules according to the form of relationship between data exporter and data importer in order to become a part of the contractual clause;
(4) to choose to use or not to use the optional clause in the MCC as a part of the contractual clause;
(5) to amend the information in the appendix to be appropriate;
(6) to use the clauses of the MCC or SCC as a part of other contracts or agreements, without conflicting with the original clauses and without having a greater impact on the rights and freedoms of data subjects than before;
(7) to add other clauses to the contractual clause or add appropriate security measures, without conflicting with the original clauses and without having a greater impact on the rights and freedoms of data subjects than before.
Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)